Keranger – Overview – Technical Information – Route of Infection – Correspondence Situation of Xprotect – Common Point with Linux.Encoder

Total Page:16

File Type:pdf, Size:1020Kb

Keranger – Overview – Technical Information – Route of Infection – Correspondence Situation of Xprotect – Common Point with Linux.Encoder FFRI,Inc.FFRI, Inc. The Advent of New Ransomware Fourteenforty ResearchTargeting Institute, The Mac Inc. OS X FFRI, Inc. http://www.ffri.jp FFRI,Inc.FFRI, Inc. Table of Contents • Background • KeRanger – Overview – Technical Information – Route of Infection – Correspondence situation of XProtect – Common point with Linux.Encoder • Measures for Ransomware • Conclusion/Wrapup 2 FFRI,Inc.FFRI, Inc. Background • In Japan, it has been reported many damage caused by ransomware such as TeslaCrypt 3.0 and Locky from the end of 2015. • These malware are targeting a Windows PC primarily because it does not work with devices operating at the *nix based OS. • However, ransomware which has targeted the Linux server has been discovered in October 2015. Furthermore, new ransomware which is working completely in Mac OS X has been discovered in March 2016. • In this slide, we describe focused on KeRanger a ransomware of Mac OS X. 3 FFRI,Inc.FFRI, Inc. KeRanger: Overview • A Ransomware which is working completely for the first time in Mac OS X that reported by Palo Alto Networks. • Characteristics – Disguised in Transmission (BitTorrent client app). – To avoid the Gatekeeper by a valid code signing. – After infection, to encrypt a specific area through the hiding period of 3 days. • Current Status – Apple • Revoked the certificate. • Added a signature to XProtect. – Client app • It has been replaced to legitimate app. Source: https://www.transmissionhttps://www.transmi ssionbt.com/bt.com/ 4 FFRI,Inc.FFRI, Inc. KeRanger: Technical Information <Trojan> • Contamination of malware – The executable (Mach-O) file that disguised itself as an RTF file is included in disguised DMG file. – The malicious file need to unpack before analysis because it is packed with UPX 3.91. 5 FFRI,Inc.FFRI, Inc. KeRanger: Technical Information <Code signing> • Signature information – In OS X, it is possible to dump the signature information by using the “codesign” command. $ codesign -d -vvvv Transmission.app ---- 省略 ---- Authority=Developer ID Application: POLISAN BOYA SANAYI VE TICARET ANONIM SIRKETI (Z7276PX673) Authority=Developer ID Certification Authority Authority=Apple Root CA Signed Time=2016/03/04 11:03:57 ---- 省略 ---- – From the above, it can be seen infected application is being signed on March 4, 2016 by using the official certificate by Apple. 6 FFRI,Inc.FFRI, Inc. KeRanger: Technical Information <Hiding Period> • About the hiding period – KeRanger encrypt some specific area through the hiding period of 3 days. – During the hiding period, KeRanger is checking the time every 5 minutes. – The encryption is executed to files which have specific extension in “/Users” and “/Volume”. • 300 kinds of extension has been registered in KeRanger. 7 FFRI,Inc.FFRI, Inc. KeRanger: Route of Infection #2 Do nothing immediately #1 There is a possibility that has after installation. been uploaded disguised DMG file on or after March 4, 2016 from the signature information. The DMG file on the official public server had been replaced because the user is not suspected. C2 server in the Tor network #3 Through a hiding period of 3 days (259,300 secs) to access the onion domain, it receives the public key and threatening statement after sending to the hardware ID of the Mac to the C2 server. #4 Performs the encrypted with acquired public key, then generates a threatening statements. 8 FFRI,Inc.FFRI, Inc. Correspondence Situation of XProtect • As a result of KeRanger discovery, Apple invalidated the certificate and added new signature to XProtect with update. 9 FFRI,Inc.FFRI, Inc. Common point with Linux.Encoder • KeRanger is pointed out that a rewrite of the ransomware for Linux server that was discovered in October 2015. • For example: – Libraries used for encryption with high probability the same. • The function symbol names used also encrypt both malware begins with “mbedtls_” because it is possibility of using PolarSSL known as lightweight libraries. – Almost the same threatening statements file. • Both malware generate README_FOR_DECRYPT.txt because details (e.g. payment procedures, etc.) are described in this file. 10 FFRI,Inc.FFRI, Inc. Measures for Ransomware • If you’ve been infected with ransomware, we do not recommend that you pay to the attacker because recovery of damage is not the trustworthy promise. • There are example of countermeasures and mitigations below. – Security updates of the OS and apps will be conducted regularly. – Not to install or run apps that are signed by an untrusted publisher. • In the case of KeRanger, above-mentioned measure is not enough because it is signed by official certificate which was issued by Apple. • On the other hand, it can be determined that it is suspicious app by checking the difference of the signature because the developer ID is different from the previous version. – Increase the recoverable point by regularly conducts the backup. • We recommend to consider combination of the file server for backup because we found the code that KeRanger developer also tried to encrypt the Time Machine files for backup. 11 FFRI,Inc.FFRI, Inc. Conclusion/Wrapup • Recently, most of ransomware had targeted a Windows PC. However, it has been clearly that OS X and Linux have been also targeted from ransomware by the discovery of KeRanger and Linux.Encoder. • Considering the similarity of KeRanger and Linux.Encoder, it is possibility the code is leaked to the black market or have been created by the same developer. • Some researchers have pointed out that the legitimate certificate is sold on the black market. Therefore, a malware which is possible to bypass Gatekeeper is likely to emerge again. • Ransomware will easy to monetize for the attacker. Care must be taken because it is assumed to increase damage in the future. 12 FFRI,Inc.FFRI, Inc. References • TRANSMISSION – A Fast, Easy, and Free BitTorrent Client – https://www.transmissionbt.com/ • NEW OS X RANSOMEWARE KERANGER INFECTED TRANSMISSION BITTORRENT CLIENT INSTALLER – http://researchcenter.paloaltonetworks.com/2016/03/new-os-x- ransomware-keranger-infected-transmission-bittorrent-client- installer/ • Mac上で完全に動作するランサムウェア 「KeRanger」 を実行させてみた。 – http://applech2.com/archives/48035822.html • KeRanger Is Actually A Rewrite of Linux.Encoder – https://labs.bitdefender.com/2016/03/keranger-is-actually-a- rewrite-of-linux-encoder/ • サイバー犯罪者に人気の商品 「コード証明書」 – http://asmarterplanet.com/jp-security/blog/2015/10/97.html 13 .
Recommended publications
  • Ransom Where?
    Ransom where? Holding data hostage with ransomware May 2019 Author With the evolution of digitization and increased interconnectivity, the cyberthreat landscape has transformed from merely a security and privacy concern to a danger much more insidious by nature — ransomware. Ransomware is a type of malware that is designed to encrypt, Imani Barnes Analyst 646.572.3930 destroy or shut down networks in exchange [email protected] for a paid ransom. Through the deployment of ransomware, cybercriminals are no longer just seeking to steal credit card information and other sensitive personally identifiable information (PII). Instead, they have upped their games to manipulate organizations into paying large sums of money in exchange for the safe release of their data and control of their systems. While there are some business sectors in which the presence of this cyberexposure is overt, cybercriminals are broadening their scopes of potential victims to include targets of opportunity1 across a multitude of industries. This paper will provide insight into how ransomware evolved as a cyberextortion instrument, identify notorious strains and explain how companies can protect themselves. 1 WIRED. “Meet LockerGoga, the Ransomware Crippling Industrial Firms” March 25, 2019; https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/. 2 Ransom where? | May 2019 A brief history of ransomware The first signs of ransomware appeared in 1989 in the healthcare industry. An attacker used infected floppy disks to encrypt computer files, claiming that the user was in “breach of a licensing agreement,”2 and demanded $189 for a decryption key. While the attempt to extort was unsuccessful, this attack became commonly known as PC Cyborg and set the archetype in motion for future attacks.
    [Show full text]
  • 2016.4 Vol.28 Mac はマルウェアから 100%安全か
    2016.4 Vol.28 Mac はマルウェアから 100%安全か セキュリティプレス・アン Mac 向けセキュリティソリューション AhnLab V3 365 Clinic for Mac Mac はマルウェアから 100%安全か AppleのMacは、多くの人にマルウェアから安全だと思われている。しかし実際はWindowほどではないにせよ、Mac向けのマルウ ェアもマルウェア史の初期から存在し続けていた。それは現在も同じで、Macも安全地帯ではないということだ。 今回のプレス・アンでは、最新Mac向けマルウェアの特徴を分析し、Mac環境を保護する方策を探る。 Appleのマッキントッシュ(Macintosh、以下Mac)に対するユーザーの信頼は厚く、次のような挿絵からも見て取れる。コンピューター使用中感電し たキャラに、「コンピューターに異常はないかい?」と聞いたところ「これはMacだから大丈夫」と断言する内容である。 [図1] The Brads- Impossible 2 セキュリティプレス・アン その信頼はセキュリティに関しても絶大で、どうやらMacは安全な環境であると思われているらしい。しかし前述のようにMac向けマルウェアは昔か ら存在していたし、Macの運営環境である「OS X」に移行してから10年間、脅威は持続的に発見されている。もちろんWindowに比べればMac向け マルウェアが少ないのは確かだが、最近発見されるマルウェアの傾向を見るとMacもまたマルウェアの安全地帯ではないことが分かる。最近登場して いるMac向けマルウェアの特徴を分析し、Macを保護するソリューションを見てみよう。 主なMacマルウェア 現在のMacも多くの進化を遂げた。プロセッサやOSの変化により、[図2]のようにOS環境がOS Xに変更された前後で発見されたマルウェアは異なる。 初期 偽装した セキュリティ プログラム リリース リリース [図2] Mac向けマルウェア史タイムライン OS X移行後に登場したマルウェアに関する詳細情報は次の通りだ。 マルウェア(発見時期) 特徴 備考 Renepo -システムセキュリティ設定: 低 -OS X 初のマルウェア (2004) -OS X ファイアウォール解除 -2004/3/3、ニックネーム DimBulbが「Macintosh Underground -ソフトウェアアップデート機能解除 forum」に参加後、3/13からスクリプトワームに対して掲載し、フォーラ -ohphoneX(ボイス及びビデオ共有)、d ムの参加者とマルウェア作成を開始。9/10の掲載バージョンが10/23に sniff(暗号スニファ)、John the Rippe 外部に知れ渡り、10/24から大炎上したことから作成を放棄 r(暗号クラック)をダウンロードインストール -Apple社ではマルウェアではないと否認し、対応せず RSPlug(Dnschanger) -DNSアドレスを変更してフィッシングサイ -使用者に実害を与えた初のOS X向けマルウェア (2007.10) トに誘導し、金銭的要求 3 セキュリティプレス・アン マルウェア(発見時期) 特徴 備考 MacSweeper -常に何かを診断し、購入要求 -OS X初の偽装アンチウィルスプログラム (2008.1.17) -KiVVi Softwareで作成し、強制マーケティングに使用したことで公式謝 罪 -2011/5以降Mac Defender、Mac Protector、Mac Security、 Mac Guard、Mac Shieldなど偽装プログラムが大幅に増加 -Apple社は同年5月末セキュリティアップデートを行い、偽装アンチウィルス
    [Show full text]
  • Ransomware Is Here: What You Can Do About It?
    WHITEPAPER Ransomware is Here: What you can do about it? Overview Over the last few years, ransomware has emerged as one of the most devastating and costly attacks in the hacker arsenal. Cyber thieves are increasingly using this form of attack to target individuals, corporate entities and public sector organizations alike by holding your system or files for ransom. Unlike other forms of cyber theft that often involve stolen financial or healthcare information, ransomware cuts out the middleman. In cases where an attacker steals health or financial documents, they must sell them on to third parties to make money. As far as ransomware is concerned, the money comes directly from the victim. Ransomware is a quickly growing threat vector. According to the FBI’s Internet Crime Complaint center (IC3), infected users made complaints about ransomware 2,453 times in 2015—nearly double the figure for 2014. What’s more, these figures most likely represent only the tip of the iceberg, as many users pay their ransom without making a report to the authorities. A recent survey conducted by a Cyber Security Research Center at the University of Kent found that over 40% of those infected with CryptoLocker actually agreed to pay the ransom demanded, which is a big incentive for hackers to target more systems. Lastly, hackers are rapidly iterating both malware and distribution techniques. In early Q2 of 2016, a new variant of ransomware, known as CryptXXX, emerged on the scene. This program is packed in such a way that users and antivirus software may initially confuse it for a Windows DLL file.
    [Show full text]
  • Internet Security Threat Report VOLUME 21, APRIL 2016 TABLE of CONTENTS 2016 Internet Security Threat Report 2
    Internet Security Threat Report VOLUME 21, APRIL 2016 TABLE OF CONTENTS 2016 Internet Security Threat Report 2 CONTENTS 4 Introduction 21 Tech Support Scams Go Nuclear, 39 Infographic: A New Zero-Day Vulnerability Spreading Ransomware Discovered Every Week in 2015 5 Executive Summary 22 Malvertising 39 Infographic: A New Zero-Day Vulnerability Discovered Every Week in 2015 8 BIG NUMBERS 23 Cybersecurity Challenges For Website Owners 40 Spear Phishing 10 MOBILE DEVICES & THE 23 Put Your Money Where Your Mouse Is 43 Active Attack Groups in 2015 INTERNET OF THINGS 23 Websites Are Still Vulnerable to Attacks 44 Infographic: Attackers Target Both Large and Small Businesses 10 Smartphones Leading to Malware and Data Breaches and Mobile Devices 23 Moving to Stronger Authentication 45 Profiting from High-Level Corporate Attacks and the Butterfly Effect 10 One Phone Per Person 24 Accelerating to Always-On Encryption 45 Cybersecurity, Cybersabotage, and Coping 11 Cross-Over Threats 24 Reinforced Reassurance with Black Swan Events 11 Android Attacks Become More Stealthy 25 Websites Need to Become Harder to 46 Cybersabotage and 12 How Malicious Video Messages Could Attack the Threat of “Hybrid Warfare” Lead to Stagefright and Stagefright 2.0 25 SSL/TLS and The 46 Small Business and the Dirty Linen Attack Industry’s Response 13 Android Users under Fire with Phishing 47 Industrial Control Systems and Ransomware 25 The Evolution of Encryption Vulnerable to Attacks 13 Apple iOS Users Now More at Risk than 25 Strength in Numbers 47 Obscurity is No Defense
    [Show full text]
  • Best Practices to Protect Against Ransomware, Phishing & Email Fraud
    WHITE PAPER Best Practices for Protecting Against Phishing, Ransomware and Email Fraud An Osterman Research White Paper Published April 2018 SPON Osterman Research, Inc. P.O. Box 1058 • Black Diamond • Washington • 98010-1058 • USA +1 206 683 5683 • [email protected] www.ostermanresearch.com • @mosterman Executive Summary • Various types of security threats are increasing in number and severity at a rapid pace, most notably cryptojacking malware that is focused on mining coins for the roughly 1,400 cryptocurrencies currently in use. • Organizations have been victimized by a wide range of threats and exploits, most notably phishing attacks that have penetrated corporate defenses, targeted email attacks launched from compromised accounts, and sensitive or confidential information accidentally leaked through email. • Threats are becoming more sophisticated as well-financed cybercriminal gangs develop improved variants of malware and social engineering attacks. The result is that the perceived effectiveness of current security solutions is not improving – or is actually getting worse – for many organizations. • Decision makers are most concerned about endpoints getting infected with malware through email or web browsing, user credentials being stolen through email-based phishing, and senior executives’ credentials being stolen through email-based spearphishing. • Four of the five leading concerns expressed by decision makers focus on email as the primary threat vector for cybercriminal activity, and nearly one-half of attacks are focused on account takeovers. Many organizations • Most decision makers have little confidence that their security infrastructure can adequately address infections on mobile devices, are not CEO Fraud/BEC, and preventing users personal devices from introducing malware into the corporate network.
    [Show full text]
  • ATTACK LANDSCAPE UPDATE Ransomware 2.0, Automated Recon, Supply Chain Attacks, and Other Trending Threats
    ATTACK LANDSCAPE UPDATE Ransomware 2.0, automated recon, supply chain attacks, and other trending threats Attack Landscape Update 1 CONTENTS Foreword: 2020 proved that our health data really is a target 3 Introduction 5 Trending Threats 6 Ransomware 2.0 6 Infostealers and automated recon 9 Dodging detection 13 Email threats: Coming to an inbox near you 14 You’ve got mail malware 14 Phishing for sensitive data 17 COVID-themed spam continues to spread 20 Vulnerabilities: The legacy of unpatched software 21 Legacy systems, legacy vulns 22 The vulnerabilities of 2020 23 Honeypots:Tracking opportunistic attacks 24 Conclusion 28 Attack Landscape Update 2 FOREWORD: 2020 PROVED THAT OUR HEALTH DATA REALLY IS A TARGET By Mikko Hypponen For many years, our clients and customers have asked me about personal health data. “Isn’t it true that health data is one of the prime targets of evil hackers? Isn’t it true that they’re after my medical history?” they have asked. For years my answer has been: “No, it’s not.” Around 99% of the cases we investigate at F-Secure Labs are criminals who are trying to make money. My thinking has been that if you’re trying to make money, your prime target is financial information like credit card data, not X-ray images. But now I’m changing my mind. The reason? The rise in attacks against hospitals, medical research units, and even patients that has occurred during the pandemic – in particular, the October attack against the Psychotherapy Center Vastaamo in Finland, in which sensitive information related to tens of thousands of patients was compromised.
    [Show full text]
  • Fraud; Recognition & Prevention
    Fraud; Recognition & Prevention Issue 10 July 2021 WORLD LEADERS IN PIONEERING BODY WORN VIDEO TECHNOLOGY Proud to be supporting the return of these LIVE events across the UK in Autumn 2021... The Emergency Services Show 7th and 8th September | NEC Birmingham | stand L85 International Security Expo At the forefront 28th and 29th September | London Olympia | stand C2 of mobile, digital BAPCO Annual Conference & Exhibition evidence gathering 12th and 13th October | Ricoh Arena Coventry | stand C20 technology since 2005. FIND OUT MORE: WWW.AUDAXUK.COM | [email protected] | WWW.VIMEO.COM/SHOWCASE/AUDAXGLOBAL 2 Foreword: Well at long last there is light at the end of the very long COVID tunnel. As numerous industries start to return to normal, or are even doing better than anticipated, due to the economic defibrillator that the lifting of restrictions represents to so many. I am personally seeing a shortage of trained and licenced security officers in several sectors. Just maybe, this will force a rise in contract charge rates, and drive salaries up! I can but hope. One sector of society that have enjoyed lockdown and has made a fortune from an unexpectedly housebound population, are the fraudsters and con artists….. There has never been such a deluge of online cons, telephone scams and fake NHS sites selling tests, vaccines and all manner of bogus stuff, all capitalising on the understandable fears and concerns of the nation, and the desire we all have to protect and do the best for our families and loved ones. What can you do to protect yourself and those you hold dear, from this non-stop deluge of lies, cons, misinformation and very clever schemes designed to part you from as much money as possible? As luck would have it, amongst other things, this issue is taking a look at the many devious faces of fraud, and some of the top experts in their fields have contributed some great advice and guidance designed to help you avoid the many traps that the criminal fraternity have set for the unwary.
    [Show full text]
  • History of Ransomware
    THREAT INTEL REPORT History of Ransomware What is ransomware? Ransomware is a type of malicious software, or malware, that denies a victim access to a computer system or data until a ransom is paid.1 The first case of ransomware occurred in 1989 and has since evolved into one of the most profitable cybercrimes. This evolution is charted in Figure 1 at the end of the report, for easy visual reference of the timeline discussed below. 1989: The AIDS Trojan The first ransomware virus was created by Harvard-trained evolutionary biologist Joseph L. Popp in 1989.2 Popp conducted the attack by distributing 20,000 floppy discs to AIDS researchers from 90 countries that attended the World Health Organizations (WHO) International AIDS Conference in Stockholm.3 Popp claimed that the discs contained a program that analyzed an individual’s risk of acquiring AIDS through a risk questionnaire.4 However, the disc contained a malware program that hid file directories, locked file names, and demanded victims send $189 to a P.O. box in Panama if the victims wanted their data back.5 Referred to as the “AIDS Trojan” and the “PS Cyborg,” the malware utilized simple symmetric cryptography and tools were soon available to decrypt the file names.6 The healthcare industry remains a popular target of ransomware attacks over thirty years after the AIDS Trojan. 2005: GPCoder and Archiveus The next evolution of ransomware emerged after computing was transformed by the internet in the early 2000s. One of the first examples of ransomware distributed online was the GPCoder 1 “Ransomware,” Cybersecurity and Infrastructure Security Agency, 2020, https://www.us- cert.gov/Ransomware.
    [Show full text]
  • And You Thought It Could Not Get Worse
    And You Thought It Could Not Get Worse Joe Vigorito/Director, Mobility & Security Annese & Associates, Inc. Sad State of Security “Many cyberattacks can be mitigated by relatively simple measures. Unfortunately, some people fail to take what appear to be basic precautions–such as using strong passwords, applying patches, and running a security solution. In many cases, breaking into a company’s network is easier than it sounds.” Costin Raiu Director, Global Research & Analysis Team Kaspersky Lab “I could teach a third-grader to do it.” Darren Martyn aka “PwnSauce” LulzSec After hacking senate.gov in 2011 The Current State of Cybersecurity is Not Nearly Good Enough, and is getting worse all the time! Not getting worse? Lets look… • Yahoo! – Perpetrator unknown. 500 million accounts in Sept. ‘16, 1 billion in December. User names, email addresses, date of birth, passwords, phone #’s and security questions leaked Not getting worse? Lets look… • Yahoo! – Perpetrator unknown. 500 million accounts in Sept. ‘16, 1 billion in December. User names, email addresses, date of birth, passwords, phone #’s and security questions leaked • Mark Zuckerberg Hack – OurMine Group. His Pinterest and Twitter accounts were hacked multiple times because he used the password ‘dadada’ Not getting worse? Lets look… • Yahoo! – Perpetrator unknown. 500 million accounts in Sept. ‘16, 1 billion in December. User names, email addresses, date of birth, passwords, phone #’s and security questions leaked • Mark Zuckerberg Hack – OurMine Group. His Pinterest and Twitter accounts were hacked multiple times because he used the password ‘dadada’ • Oracle Micros Hack – Russian hacking group known for hacking banks compromised Oracle’s POS system code on one of the top 3 payment card systems globally Not getting worse? Lets look… • Yahoo! – Perpetrator unknown.
    [Show full text]
  • Security Security
    network SECURITY ISSN 1353-4858 October 2016 www.networksecuritynewsletter.com Featured in this issue: Contents The DNC server breach: who did it and what does NEWS US officially accuses Russia of DNC hack while it mean? election systems come under attack 1 n June 2016, the computer networks of what does it tell us about the role of FEATURES Ithe US Democratic National Committee cyber-attacks in modern politics? And The DNC server breach: who did it (DNC) were hacked. As a result, a number what lessons can organisations learn for and what does it mean? 5 of documents were leaked online. their own security? Michael Buratowski In June 2016, the computer networks of the US Democratic National Committee (DNC) were Security companies analysed the breach of Fidelis Cyber-security examines the hacked. As a result, a number of documents were and quickly came to the conclusion that hack and draws some conclusions. leaked online. Security companies analysed the breach and quickly came to the conclusion that the hackers were based in Russia. But Full story on page 5… the hackers were based in Russia. But what does it tell us about the role of cyber-attacks in modern Ransomware: taking businesses hostage politics? And what lessons can organisations learn for their own security? Michael Buratowski of uropol recently declared ransomware criminals apparently turning their atten- Fidelis Cybersecurity examines the hack and draws Eto be the biggest cyber-threat facing tions to those that are most vulnerable, some conclusions. European businesses and citizens. Both such as hospitals. The ransomware itself RANSOMWARE SPECIAL the nature of the chief targets and the is evolving too, and while some of it is Taking businesses hostage 8 ways in which they are being attacked poorly executed, the most advanced strains Ransomware is a rapidly growing menace.
    [Show full text]
  • Ransomware V.1 - 1 - © Copyright Profit
    Ransomware v.1 - 1 - © Copyright PROFiT PROFiT Prevention of Fraud in Travel www.profit.uk.com INDUSTRY BRIEFING NOTE no. 6 _____________ _____ ________________________________________ _____________________________________________________________________________________________________________________________ _____________________________________________________________________________________________________________________________ ______ _________________________________________________________________________________________________________________________ ________ RANSOMWARE Part 1 of 2 DISCLAIMER PROFiT has put together this information in good faith using information from partners and internet sources in order to help organisations suffering a ransomware attack. We have not checked any links or websites that are mentioned and cannot verify the credenti als of any organisation or website mentioned nor guarantee that any of the decrypt tools will work. Accordingly you should always proceed with caution. Any materials, opinions and advice given in this publication are for information only based on data av ailable to the authors and are correct at the time of publication. The authors do not accept liability for any mistakes, errors, or omissions that subsequently come to light. The contents of this publication may not reflect the views of some of the organ isations listed. BACKGROUND The concept of r ansomware is very simple. Once a computer is infected by ransomware malware it launches a ‘packet ’ containing an algorithm which then silently encrypts (the process of converting information or data into a code) the user's data. Once the encryption is complete the ransomware displays a message demanding a p ayment – usually in Bitcoins – in order to obtain the key to decrypt the data. Often the ransom d emand comes with a deadline, and if payment is not received by that deadline, the ransom demanded may increase , the files may be locked permanently, or the files may be destroyed .
    [Show full text]
  • Master Thesis Detecting Malicious Behaviour Using System Calls
    Master thesis Detecting malicious behaviour using system calls Vincent Van Mieghem Delft University of Technology Master thesis Detecting malicious behaviour using system calls by Vincent Van Mieghem to obtain the degree of Master of Science at the Delft University of Technology, to be defended publicly on 14th of July 2016 at 15:00. Student number: 4113640 Project duration: November 2, 2015 – June 30, 2016 Thesis committee: Prof. dr. ir. J. van den Berg, TU Delft Dr. ir. C. Doerr, TU Delft, supervisor Dr. ir. S. Verwer, TU Delft, supervisor Dr. J. Pouwelse, TU Delft M. Boone, Fox-IT, supervisor This thesis is confidential and cannot be made public until 14th July 2016. An electronic version of this thesis is available at http://repository.tudelft.nl/. Acknowledgements I would first like to thank my thesis supervisors Christian Doerr and Sicco Verwer for their supervision and valuable feedback during this work. I would also like to thank Maarten Boone from Fox-IT. Without his extraordinary amount of expertise and ideas, this Master thesis would not have been possible. I would like to thank several people in the information security industry. Pedro Vilaça for his work on bypassing XNU kernel protections. Patrick Wardle and Xiao Claud for their generosity in sharing OS X malware samples. VirusTotal for providing an educational account on their terrific service. Finally, I must express my very profound gratitude to my parents, brother and my girlfriend for pro- viding me with support and encouragement throughout my years of study and through the process of researching and writing this thesis.
    [Show full text]